To use Cyware you must have cookies enabled. By Registering or Signing in, you agree to our Terms and Privacy Policy. You can also signup using Google Account. We will not use your credentials to import contacts or post anything on your account without your permission.For more info, please see Login FAQ.

IcedID and Trickbot botnet operators band together to target victims and share the profit

Security researchers have discovered the botnet operators behind the infamous banking trojans IcedID and TrickBot are now collaborating to target victims together and share the spoils. According to Flashpoint researchers, recently analyzed samples revealed that computers infected with the IcedID malware also seemed to be downloading Trickbot - considered to be the successor to the prolific banking Trojan Dyre - as well.

"It appears that attackers now send IcedID directly as spam, and that piece of malware acts as a downloader that installs TrickBot, which in turn installs other modules on victims’ machines," researchers said in a blog post. "While it is typically unusual to find two different malware families infecting the same machine, Flashpoint analysts have determined through source intelligence with knowledge of both parties’ operations that there are indications of extensive collaboration between these two fraud operators.

"Human fraudsters are central to this cybercrime model; the TrickBot operators, for example, leverage automated attacks and knowledgeable fraud operators who review compromised data from victims’ machines and can carry out real-time account takeover (ATO) operations."

"First, the attacks are complex; while the malware’s main capabilities are its use of token grabbers, redirection attacks, and webinjects to steal banking credentials, there are other modules at the operators’ disposal that allow them to have deep coverage of a victim’s machine and expand the breadth and scope of an attack, thereby allowing them to derive additional potential sources of profit from a successful compromise," Flashpoint notes.

This combined operation also has the ability to carry out account checking or credential stuffing, enabling the attackers to determine the value of a victim's machine and their access. The attackers can then assess and leverage higher-value targets for network penetration while using lower-rung victim systems for cryptocurrency mining.

"Linguistic analysis and an investigation into TrickBot and IcedID botnet operations reveals that the campaign involving a botnet belongs to a small group that commissions or buys the banking malware, manages the flow of infections, makes payments to the project’s affiliates (traffic herders, webmasters, mule handlers), and receives the laundered proceeds," researchers explain.

Flashpoint has assessed with "high confidence" that a head of operations is likely overseeing this complex network of actors within which they only know each other by aliases, despite working together for years. Affiliates within this ecosystem are specialists within their own domains, each of which deliver value to the botnet owner. However, they each act independently and leverage their own set of closed networks to accomplish a task.

Meanwhile, the TrickBot and IcedID botmaster is responsible for monitoring the botnet and its subsequent hold on its victim's online activities.

"The organizational complexity of these projects, along with the stringent security practices exercised by everyone throughout the supply chain, poses a significant challenge to investigations," researchers said. "Based on the close collaboration between TrickBot and IcedID operators and their shared backend infrastructure, it is likely that the operators will likely continue to closely collaborate on cashing out stolen accounts."

The extent of the attacks and amount of money stolen through this collaborated effort is still unclear. However, Flashpoint notes that this pairing up does signal that "fraud masters and malware developers are continuing to foster collaborative fraud operations targeting corporations in an attempt to bypass the latest anti-fraud measures."

Who we are

Cyware is a first-of-its-kind, comprehensive cyber situational awareness platform, designed to help you stay informed about the latest happenings in the cyber world with expertly curated news stories and updates.

Our Technology

Let IBM's Watson Find the Right News For You

The cyber threat landscape is changing rapidly, and cybersecurity news has claimed its spot on the front pages in recent months. It's not easy to find the right information from tens of thousands of cyber news articles and feeds published every day. Our machine learning based curation engine brings you the most relevant cyber content based on your needs.

Receive Daily Cyber News in Your Inbox

From the latest cyber security trends and innovations to new malware, vulnerabilities and threat intelligence, we bring you the most up-to date and relevant cyber updates and news alerts.